I'm trying Kubernetes in an Azure environment (AKS).
I have an nginx ingress deployed and exposed to internet through a public ip and an azure load balancer. It is used to expose public/front services.
My issue is I would like to deploy 'back' services, not exposed to the internet. My first guess would be to deploy a second ingress and expose it on the internal load balancer, am I right?
But what if my front services need to consume the back services: can I consume them over the second ingress (to use the nginx configuration, SSL offload, etc.) but not do a round trip to the internal load balancer? What would the DNS configuration be in that case?
You do not need to deploy a secondary ingress service. All you need to do is make your service endpoint [IP] private and they should be able to talk to your ingress service only.
So how you create a private IP: https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip
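As an added example (not part of the answer above or of the linked Microsoft page), this is what the "private ingress" that the linked doc describes looks like as manifests: a Service of type LoadBalancer for a second ingress-nginx controller, carrying the Azure annotation that makes the cloud provider allocate an internal load balancer instead of a public one, plus an Ingress that binds a back service to that controller only. The annotation is the documented one; the namespace, pod labels, IngressClass name, hostname and ports are assumptions.

```yaml
# Service for the second ("back") ingress-nginx controller. The annotation makes
# Azure create an internal load balancer, so EXTERNAL-IP becomes a VNet-private
# address and the controller is never reachable from the internet.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-internal
  namespace: ingress-internal                  # assumed namespace for the second controller
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx      # assumed labels of the controller pods
    app.kubernetes.io/instance: ingress-internal
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
# Ingress for a back service, bound to the internal controller through its
# IngressClass name ("nginx-internal", assumed to be what that controller watches),
# so the public controller never picks this route up.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: back-api
  namespace: back
spec:
  ingressClassName: nginx-internal
  rules:
    - host: api.internal.example.com           # placeholder private DNS name
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: back-api
                port:
                  number: 8080
```

The check to make after `kubectl apply`: `kubectl get svc -n ingress-internal ingress-nginx-internal` must show an EXTERNAL-IP from the VNet's address range, not a public address. If a public IP appears, the annotation was not applied (a typo in the key is silently ignored) and the back ingress is exposed.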
Ingress controllers are made for external traffic. For in-cluster communication it is best to use Kubernetes Services, which will configure the DNS inside the cluster. With a Service you'll be able to call your backend service without doing a round trip to an external resource; the load balancing will be done natively inside the k8s cluster. Nothing prevents you from deploying an nginx pod or injecting it as a sidecar in your backend service pod and using it as a reverse proxy, but do you really need the nginx configuration and mutual TLS for in-cluster communication? If you really need mutual TLS, you'd better look at something like Istio, but it is probably overkill for your use case.
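As an added example (not part of the answer above), here is the in-cluster alternative the answer recommends, written out: a back Deployment fronted by a ClusterIP Service, and a front Deployment that reaches it by the Service's cluster DNS name, so the call never leaves the cluster or touches a load balancer. Namespaces, names, images and ports are assumptions.

```yaml
# Back service pods. Nothing here is exposed outside the cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: back-api
  namespace: back
spec:
  replicas: 2
  selector:
    matchLabels:
      app: back-api
  template:
    metadata:
      labels:
        app: back-api
    spec:
      containers:
        - name: api
          image: registry.example.com/back-api:1.0.0    # placeholder image
          ports:
            - name: http
              containerPort: 8080
---
# ClusterIP is the default Service type: the virtual IP it receives is routable
# only from inside the cluster and is never attached to any load balancer.
# Connections to it are spread across the ready pods by kube-proxy/the CNI.
apiVersion: v1
kind: Service
metadata:
  name: back-api
  namespace: back
spec:
  type: ClusterIP
  selector:
    app: back-api
  ports:
    - name: http
      port: 8080
      targetPort: http
---
# Front pods call the back service by its cluster DNS name. Cluster DNS resolves
# <service>.<namespace>.svc.cluster.local; from another namespace the short
# form "back-api.back" resolves as well.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: front-web
  namespace: front
spec:
  replicas: 2
  selector:
    matchLabels:
      app: front-web
  template:
    metadata:
      labels:
        app: front-web
    spec:
      containers:
        - name: web
          image: registry.example.com/front-web:1.0.0   # placeholder image
          env:
            - name: BACK_API_URL
              value: http://back-api.back.svc.cluster.local:8080
```

To confirm the routing, resolve `back-api.back.svc.cluster.local` from a pod in the `front` namespace (with `nslookup` or `getent hosts`, whichever the image provides): it should return the Service's cluster IP, shown by `kubectl get svc -n back back-api`, and nothing from the load balancer's address range. Because this path carries plain HTTP inside the cluster, it relies on the cluster network being trusted; if that assumption does not hold, that is the point at which the answer's mention of a service mesh such as Istio becomes relevant.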